Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Need to make it clear: do I need to copy Let's Encrypt certificates every 3 months to get TLS to work for BOTH the server and the client? #4621

Open
1 of 11 tasks
Kenya-West opened this issue Jan 5, 2025 · 3 comments
Open
1 of 11 tasks

Need to make it clear: do I need to copy Let's Encrypt certificates every 3 months to get TLS to work for BOTH the server and the client? #4621

Kenya-West opened this issue Jan 5, 2025 · 3 comments

Comments

@Kenya-West
Copy link
Contributor

Kenya-West commented Jan 5, 2025
edited
Loading

Describe the feature request

I have a setup like this:

# For actual proxying using TCP connections without TLS
some web service <- frpc <- [token auth] <- frps 

# For seeing stats in browser securely with SSL
frps web dashboard <- Caddy

Configs are (templated by Jinja2):

Details

frps.toml:

bindPort = {{ docker_service_vars.frp.server_port }}
allowPorts = [
  { start = {{ docker_service_vars.frp.range_ports_1_start }}, end = {{ docker_service_vars.frp.range_ports_1_end }} }
]
webServer.addr = "0.0.0.0"
webServer.port = {{ docker_service_vars.frp.dashboard_port }}
webServer.user = "{{ docker_service_vars.frp.dashboard_user }}"
webServer.password = "{{ docker_service_vars.frp.dashboard_password }}"
auth.method = "{{ docker_service_vars.frp.auth_method }}"
auth.token = "{{ docker_service_vars.frp.auth_token }}"

frpc.toml:

webServer.addr = "0.0.0.0"
webServer.port = {{ proxy_client.frpc.client_dashboard_port }}
webServer.user = "{{ proxy_client.frpc.client_dashboard_user }}"
webServer.password = "{{ proxy_client.frpc.client_dashboard_password }}"
serverAddr = "{{ proxy_client.frpc.server_address }}"
serverPort = {{ proxy_client.frpc.server_port }}
auth.method = "{{ proxy_client.frpc.client_auth_method }}"
auth.token = "{{ proxy_client.frpc.client_auth_token }}"

{% for proxy in proxy_client.frpc.proxies %}

[[proxies]]
name = "{{ proxy.name | default(inventory_hostname) | default(ansible_host) | default('ssh_proxy') }}"
type = "{{ proxy.type | default('tcp') }}"
localIP = "{{ proxy.local_ip | default('127.0.0.1') }}"
localPort = {{ proxy.local_port }}
remotePort = {{ proxy.remote_port }}
{% endfor %}

So far so good without TLS. But I want to switch to TLS-only connections.

Caddy updates certificates on time and (as for now) just proxies for FRPS dashboard with SSL.
The actual frps<---[tcp]--->frpc connections FRPS does by itself without any TLS.

If I switch to SSL/TLS only, I need to copy Let's Encrypt certs from Caddy to both FRPS and FRPC, right? Or do I need to set certificates only in frps.toml, and the client will automatically switch to TLS?

Making certificates accessible for one server is OK. But to distribute certs for all the clients on regular basis adds unnecessary complexity to an already complicated infrastructure.

Describe alternatives you've considered

Alternative is to sit still and being happy without TLS

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
@fatedier
Copy link
Owner

fatedier commented Jan 6, 2025

By default, traffic between frpc and frps is encrypted using randomly generated certificates. You only need to provide your own certificates if you require additional authentication. Whether you need to update certificates on frpc depends on whether you require mutual TLS (mTLS) for bidirectional authentication. Without mTLS, it’s sufficient to configure certificates only on frps. This simplifies the setup, as you don't need to distribute certificates to all clients unless mutual authentication is a strict requirement in your environment.

@Kenya-West
Copy link
Contributor Author

Thanks for trying to help. But maybe I simplified the problem too much.

I try to explain again (sorry for possible misunderstanding before):

I setup a web service on my laptop, that serves only by HTTP. It is restic REST backup server if you need to know.

I need FRP to reverse proxy to this HTTP service only by HTTPS. Can FRP do this?

Currently, I have such configs (more detailed):

frpc.tml:

Details 

webServer.addr = "0.0.0.0"
webServer.port = 7400
webServer.user = "user"
webServer.password = "password"
serverAddr = "subdomain.example.tld"
serverPort = 7000
auth.method = "token"
auth.token = "sometoken"
transport.tls.enable = true
transport.tls.certFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.crt"
transport.tls.keyFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.key"
transport.tls.serverName = "subdomain.example.tld"

[[proxies]]
name = "mylaptop"
type = "tcp"
localIP = "127.0.0.1"
localPort = 23001
remotePort = 22001

[[proxies]]
name = "mylaptop_restic_server"
type = "tcp"
localIP = "127.0.0.1"
localPort = 8010
remotePort = 22002

frps.toml:

Details 

bindPort = 7000
vhostHTTPPort = 8080
vhostHTTPSPort = 8443
allowPorts = [
  { start = 22001, end = 22089 }
]
webServer.addr = "0.0.0.0"
webServer.port = 7500
webServer.user = "user"
webServer.password = "password"
auth.method = "token"
auth.token = "sometoken"
transport.tls.force = true
transport.tls.certFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.crt"
transport.tls.keyFile = "/etc/frp/certs/subdomain.example.tld/subdomain.example.tld.key"

Right now, it gets error from restic that HTTP response is sent through HTTPS connection:

Details 

$kenyawest: ~/backup-restic-node/autorestic ❯ sudo scripts/update.sh
Using config:    /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.yaml
Using env:       /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.env
Using lock:      /home/kenyawest/backup-restic-node/autorestic/config/.autorestic.lock.yml


    Backing up location "home_user"

Backend: server
> Executing: /usr/local/bin/restic backup --tag ar:location:home_user /home/kenyawest
Fatal: unable to open config file: Head "https://user:***@subdomain.example.tld:22002/config": http: server gave HTTP response to HTTPS client
Is there a repository at the following location?
rest:https://user:***@subdomain.example.tld:22002/

home_user@server:
Fatal: unable to open config file: Head "https://user:***@subdomain.example.tld:22002/config": http: server gave HTTP response to HTTPS client
Is there a repository at the following location?
rest:https://user:***@subdomain.example.tld:22002/
exit status 1

Error: 1 errors were found

The documentation has a paragraphs about my exact specific use case:

Details

Enable HTTPS for a local HTTP(S) service

You may substitute https2https for the plugin, and point the localAddr to a HTTPS endpoint.

  1. Start frpc with the following configuration:
# frpc.toml
serverAddr = "x.x.x.x"
serverPort = 7000

[[proxies]]
name = "test_https2http"
type = "https"
customDomains = ["test.example.com"]

[proxies.plugin]
type = "https2http"
localAddr = "127.0.0.1:80"
crtPath = "./server.crt"
keyPath = "./server.key"
hostHeaderRewrite = "127.0.0.1"
requestHeaders.set.x-from-where = "frp"
  1. Visit https://test.example.com.

But even with the same certificates both on client and server, FRP cannot wrap/transform/remap HTTP traffic to HTTPS one.

Does that mean it is not FRP's job?

@fatedier
Copy link
Owner

fatedier commented Jan 7, 2025

Maybe try this: https://github.com/fatedier/frp?tab=readme-ov-file#enable-https-for-a-local-https-service

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fatedier @Kenya-West